Ghosts in the Voting Machines

Christine Hall

Whether or not foreign governments are planning on manipulating our election results in November, it’s past time we started taking the security of electronic voting seriously.

Op-ed

Even if the FBI’s suspicions that Russian government forces are behind the hacking of the Democratic party turn out to be untrue, the fact that our government is willing to publicly speculate on the possibility should be cause for some alarm. While it’s true that, from a hacking standpoint, the Democrats’ computers were probably low-hanging fruit and easy pickings, so are many of the voting machines that will be called into service in November’s general election.

For decades we’ve known that many voting machines are subject to tampering, and many reasonable people are suspicious that tampering on the state level has already affected the outcome of some elections. This year we can double down on those concerns. In an era when politically motivated officials have been putting in place draconian voter restrictions in order to quell largely unproven fraud by a handful of individual voters, we’ve connected our voting machines to the Internet, which is an open invitation to foreign governments that might have a reason to want to have control over who governs us. In light of the recent allegations against Russia, that should be worrisome.

It’s not just me who’s concerned. In an article published Wednesday by the Washington Post, security technologist and open source advocate Bruce Schneier expressed his concerns that if the recent Democratic party security breaches were indeed carried out by the Russian government, they may be a precursor of things to come.

“If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations, both document thefts and dumps like this one that we see and more subtle manipulations that we don’t see.”

Schneier is particularly worried about the vulnerability of the technology used in balloting. “[W]e need to secure our election systems before autumn,” he wrote. “If Putin’s government has already used a cyberattack to attempt to help Trump win, there’s no reason to believe he won’t do it again — especially now that Trump is inviting the ‘help.’”

Trump supporters and adversaries alike, I’m sure, will agree that no good can come from foreign governments manipulating our election results.

Again, we are vulnerable to such attacks. Most if not all voting machines in use in the U.S. are proprietary, meaning there’s not only no way to determine if there are back doors available to corrupt state officials, there is no way to check for other security vulnerabilities either. The fleet of machines being used is also aging, with CounterPunch reporting that in South Carolina all voting machines are more than 10 years old and in no state are all machines less than 10 years old.

They are often vulnerable in other ways as well. In the Post article, Schneier points to a year-old item in the Guardian reporting that in Virginia “[t]ouchscreen voting machines used in numerous elections between 2002 and 2014 used ‘abcde’ and ‘admin’ as passwords and could easily have been hacked from the parking lot outside the polling place, according to a state report.”

“But while computer security experts like me have sounded the alarm for many years,” Schneier says, “states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.”

Schneier is calling for immediate and independent testing of all voting machines and for pulling those that don’t pass muster offline. Going forward, he suggests that we “return to election systems that are secure from manipulation,” in part meaning no voting machines without a voter-verified paper audit trail and absolutely no Internet voting. “I know it’s slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.”

All of this makes great sense and although Schneier is so far the only voice suggesting we protect the vote from a Russian intrusion, he’s not the only one sounding an alarm over voter security. In December, New York University’s Lawrence Norden and Christopher Famighetti pointed out on Phys.org: “Many older voting systems rely on outdated operating systems, like Windows XP and 2000, which are no longer supported. Several election officials told us that they stockpile refurbished laptops that can run obsolete versions of Windows.”

It seems doubtful we’ll see anything more than a band-aid approach before November, which is unfortunate. A large number of U.S. citizens already feel our election system is rigged and that the individual’s vote doesn’t matter. A wholesale hacking of the voting system of just a single state, whether by a foreign government or someone else, would only further erode voter confidence in the system.

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

This is not a partisan issue. Vulnerable voting machines have the potential to harm everybody: Democrats, Republicans, independents, third parties, everyone who votes and even everyone who doesn’t (seeing as how even if you don’t vote you’re still affected by who wins).

There is no such thing as a secure voting machine. What goes on in a machine is hidden. You have to trust a small number of individuals to ensure that the hidden software accurately tells the truth. And it’s easy to corrupt a small number.

My local voting precinct has three modern touch screen black box electronic voting machines. I don’t use them. I walk in on election day, present my registration/identification, and ask for a paper ballot.

The precinct workers know me by now and are ready to accommodate my request. Your right to vote will not be denied, you do not have to use an electronic black box voting machine.

I mark my selections using a pen on my paper ballot, I fold the ballot, and I place it in a ballot box. This is very satisfying, as opposed to using an electronic black box voting machine where you hope your vote is properly recorded.

It is not possible to verify a vote on an electronic black box voting machine, even those with a paper backup system.

Congratulations Christine for connecting tech with their actual applications and the ensuing appeal of corruption. Harvey Wasserman of Ohio has been talking and writing about this for years. See for example: http://www.democracynow.org/2016/2/23/could_the_2016_election_be_stolen
or Billionaires & Ballot Bandits: How to Steal an Election in 9 Easy Steps by Greg Palast, an amazing investigative journalist.
The one correction I would make to your analysis is that it is a mistake to identify foreigners as those with most to gain by manipulating elections. The worst actors, with the most to gain, are high domestic politicians and corporations with local connections. Look what happened in the recent Demo primaries that were manipulated in every way to exclude and downplay Bernie. Can anyone imagine the same people would stop at flipping election results on a vulnerable computerized machine?

@Paul Palmer You must have missed the part that mentioned people’s suspicions “that tampering on the state level has already affected the outcome of some elections” and mentioned possible “back doors available to corrupt state officials.” 😉

@Christine – You’re quite right Christine. You did cover domestic mischief. I was just reacting to the blather coming from Hillary and Trump about Russian interference in the elections as they seek to divert attention from what their own parties are doing to change election results.

So how is it that countries as rich as France and as poor as Brazil have electronic voting and no one raises concerns about their systems? Election results are available as soon as the polls close and no one, including security wonks, say their e-voting systems are hackable and should not be trusted.

> “So how is it that countries as rich as France and as poor as Brazil have electronic voting and no one raises concerns about their systems? Election results are available as soon as the polls close and no one, including security wonks, say their e-voting systems are hackable and should not be trusted.”

You haven’t been following the subject closely.

Every country that has deployed e-voting has been subject to security issues. Experts have voiced concern, but have been largely ignored.

It goes without saying that any process as complex as a national election will have issues about accuracy and the ability to corrupt the count. We learned in Florida (2000?) that punched paper routinely has mispunches and hanging chads. For hundreds of years, paper ballot boxes have been stuffed and ballots found floating in the ocean while some of them are voted by dead people. This happens when parties with an interest in the outcome have control of the process. In Ohio and Florida and other places we have seen Repub governors with Repub Sec’s of State and Repub Election Commissioners joined to Repub voting machine manufacturers who have total control over the software and no one allowed to see the code. Get the partisan controllers out of the process entirely with a public, transparent process such as this FOSS group represents and I’ll bet 98% of the problems disappear.

Yup, Roger_Babson_5_Sep_1929, Mike’s spot on. All the countries trying online voting have *serious* problems with their systems and have in some cases proceeded despite that. Most have abandoned their efforts when it was shown (in nearly every case) that their systems could *easily* (trivially, in most cases) be compromised. Low-tech (and understandable by any literate person) is a huge feature for the democratic process.

having all the software and even the hardware of the voting machines 100% open source would not make ANY difference at all. Because it would be impossible to actually verify DURING the voting that a machine is actually built to published spec and is running the open source audited software.

The problem is a thorny one, but open source machines/software could be spot checked and audited by independent groups. Repeatable binary builds plus digital signatures on both the code and the resulting data sets (in addition to hardware validation – expensive but possible) could be done. This is better than the current situation where secret code produced in secret is used with no transparency possible.

OK, then I’ll try to express the same concept, with hopefully clearer words. What about these ones:

“open source would not make ANY difference at all”

(besides being in the end more expensive than the plain paper ballot counts) the spot checks and audits you talk about would not make any difference. No, worse. They would be unfeasible.

Because the only check that would matter would be on, and with, the REAL input data. In other words, your audits would be meaningless unless you did them during the actual ballot, ON the actual ballot. That is, without also asking users (voters) to tell you what they are actually voting.

Still wrong. If you validate the machines before distribution (assuming they are provided unique hardware enforced cryptographic signatures) and the software load is both digitally signed and validated by the hardware itself, then the resulting data set can be uniquely signed by that machine ID and you could with a high degree of certainty believe that the data output by that machine was correct and not tampered with. Suspect districts could be audited much more feasibly than is currently possible. You could even do interesting things like post the entire result set in a distributed manner to multiple providers and issue unique generated transaction #’s to every voter (a receipt if you will). Every single voter could validate that their vote actually made it into the result set with the correct vote to help flag problem areas. This is unlike anything that has ever been done before.

With the right hardware and planning this would make it prohibitively difficult to falsify a result set – you’d have to duplicate an entire set of voting machines with modified firmware, get it signed with a valid key, and get them swapped in place of the correct ones without anyone knowing and then eternally prevent anyone from getting audit access to said machine after the fact. This would dramatically reduce the possibility of fraud vs the closed source garbage being done currently.

I’m not saying it is cheaper/easier than paper ballots, just better than any e-voting scheme currently in use.
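The checks proposed in this comment (a per-machine key, a digest of the audited software load, a signed result set, and voter receipts) can be sketched as follows. This is an added Go example, not part of the original comment or of any real voting system; the type and function names, the machine ID, the receipt numbers and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// Record is one published line: the receipt number given to a voter and
// the choice the machine recorded for it (hypothetical format).
type Record struct{ Receipt, Choice string }

// ResultSet is what one machine publishes. Firmware is the digest of the
// software load; the comment assumes the hardware measures it, so it is
// not simply self-reported by the software being measured.
type ResultSet struct {
	MachineID string
	Firmware  [32]byte
	Records   []Record
	Sig       []byte
}

// digest hashes a canonical form: every field is length-prefixed and the
// records are sorted by receipt, so two different sets never hash alike.
func digest(rs ResultSet) []byte {
	h := sha256.New()
	put := func(b []byte) {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(b)))
		h.Write(n[:])
		h.Write(b)
	}
	put([]byte(rs.MachineID))
	put(rs.Firmware[:])
	recs := append([]Record(nil), rs.Records...)
	sort.Slice(recs, func(i, j int) bool { return recs[i].Receipt < recs[j].Receipt })
	for _, r := range recs {
		put([]byte(r.Receipt))
		put([]byte(r.Choice))
	}
	return h.Sum(nil)
}

// Publish signs the result set with the machine's private key.
func Publish(id string, fw [32]byte, key ed25519.PrivateKey, recs []Record) ResultSet {
	rs := ResultSet{MachineID: id, Firmware: fw, Records: recs}
	rs.Sig = ed25519.Sign(key, digest(rs))
	return rs
}

// Audit is the independent check: known machine, audited firmware digest,
// unique receipt numbers, and a signature that covers all of it.
func Audit(rs ResultSet, registry map[string]ed25519.PublicKey, approved [32]byte) error {
	pub, ok := registry[rs.MachineID]
	if !ok {
		return errors.New("unknown machine ID")
	}
	if rs.Firmware != approved {
		return errors.New("firmware digest differs from the audited build")
	}
	seen := map[string]bool{}
	for _, r := range rs.Records {
		if seen[r.Receipt] {
			return errors.New("duplicate receipt number")
		}
		seen[r.Receipt] = true
	}
	if !ed25519.Verify(pub, digest(rs), rs.Sig) {
		return errors.New("signature does not match result set")
	}
	return nil
}

// CheckReceipt is the voter-side lookup against the published set.
func CheckReceipt(rs ResultSet, receipt, choice string) bool {
	for _, r := range rs.Records {
		if r.Receipt == receipt {
			return r.Choice == choice
		}
	}
	return false
}

// demo runs the checks on constructed sample data.
func demo() (cleanOK, receiptOK, tamperCaught, firmwareCaught bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fw := sha256.Sum256([]byte("constructed firmware image"))
	registry := map[string]ed25519.PublicKey{"M-001": pub}
	rs := Publish("M-001", fw, priv, []Record{{"7f3a", "A"}, {"19c2", "B"}, {"e04d", "A"}})
	cleanOK = Audit(rs, registry, fw) == nil
	receiptOK = CheckReceipt(rs, "19c2", "B")
	// A record altered after signing invalidates the signature.
	forged := rs
	forged.Records = append([]Record(nil), rs.Records...)
	forged.Records[1].Choice = "A"
	tamperCaught = Audit(forged, registry, fw) != nil
	// A valid key signing output from a different software load is rejected.
	other := sha256.Sum256([]byte("constructed modified image"))
	firmwareCaught = Audit(Publish("M-001", other, priv, rs.Records), registry, fw) != nil
	return
}

func main() { fmt.Println(demo()) }
```

A passing audit shows the set was not altered after signing and came from a registered key; it does not show that the machine recorded each choice faithfully, which is the objection raised elsewhere in this thread.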

I still strongly disagree with the actual feasibility and realism of several technical points you make, from “Every single voter could validate that their vote actually made it into the result” to “you could with a high degree of certainty believe..”

However, this doesn’t really matter. Thanks for highlighting the real issue, and pointing out a weakness/incompleteness of my initial assertion:

“I’m not saying it is cheaper/easier than paper ballots, just better than any e-voting scheme currently in use.”

I agree. I should have said from the beginning “[AT THE END OF THE DAY] open source would not make ANY PRACTICAL/MEANINGFUL difference at all”

Even with Open Source Everything, on one hand the efforts needed to make electronic voting not look ridiculous at least in theory and the risk if something goes wrong in practice are so high; on the other, there is no real reason to even try electronic voting in the first place. What do you get, once you have acknowledged that it cannot be cheaper than paper ballots, from e-voting? The fact that you know the results (*) half a day, or one day earlier? Is that something an adult should worry about, and consider a reason to take the risk? Come on!

(*) and it is faster only if you admit and accept that the paper trail is just for show, and will never be used

@Marco: Well, if we start talking about online voting instead of simply using (ideally disconnected) computerized voting machines at polling places, then the benefit is a potentially massive increase in voter turnout.

The downside, of course, is that online voting is even harder to secure and verify — perhaps insurmountably so.

Online voting? First, “massive increase in voter turnout” by online voting (assuming it would actually happen, which is far from granted) would not be a benefit at all. It would be a huge problem, or more exactly a symptom/proof of a huge problem. People so smart and mature that will vote only if it’s as easy and game-like as clicking a button… that’s not democracy. Don’t even get me started on that.

And in any case, online voting is intrinsically, totally stupid. Much more than e-voting inside voting stations, of which I already talked.

Because “making online voting secure and verifiable” is as smart as fireproofing just the BOTTOM of a tin oil tank that you KNOW will be hit by a flamethrower from the SIDE.

Online voting is voting from everywhere, without control and protection. Including the living room of whatever politician, mobster, you name it… who would tell you “vote in front of me as I say, and I’ll give you X bucks. Vote otherwise, and you’ll wake up in the hospital”.

Get real, please.

Final notes:
1) sorry if this comes out harder than it would if we could discuss it face to face. Nothing personal, but seeing certain stuff really heats me up

2) What I’ve written here is just the English version of something I wrote years ago in Italian on the same topic. I’ll later rearrange all these comments in one single post on my own blog. Thanks for the stimuli

Thad, that assumption (greater voter turn out due to the assumed convenience of online voting) has motivated a lot of attempts at online voting internationally. There’s very little evidence to suggest that this assumption is valid. Ultimately, the global decline in voter participation seems less to do with convenience and more to do with voters feeling disenfranchised and disempowered.

@m: The problem with your reasoning — that we shouldn’t make it easier to vote because then ignorant people will vote — is that it’s been used historically (and, for that matter, recently) to disenfranchise minorities, young people, poor people, and women, to name a few examples off the top of my head. I believe that allowing more people to vote is inherently a good thing, and erecting barriers to voting is, by definition, undemocratic.

I believe that more people should have the opportunity and the inclination to vote. If that means more people will be voting in a way that isn’t how I vote, then so be it.

“Online voting is voting from everywhere, without control and protection. Including the living room of whatever politician, mobster, you name it… who would tell you “vote in front of me as I say, and I’ll give you X bucks. Vote otherwise, and you’ll wake up in the hospital”.”

I vote by mail. Are you opposed to that, too? Because it’s vulnerable to the same kinds of bribes and threats.

It seems to me that among the range of effects from a wholesale hacking of the electoral computers, erosion of confidence in the system would be among the few useful ones. People should lack confidence in the system, and if it gets hacked such lack of confidence would be all the more justified.
Surely the main problem would be more along the lines of “having a government which was not actually elected by the American people”–not, by some accounts, that it would be the first time.

On the other hand, the American electoral system seems to have presented the American people with such incredibly uninspiring choices that foreign intervention would actually have a hard time not improving things, try though they might. Trump or for that matter Clinton as Putin’s puppet, or Xi’s say, would be hard pressed to hurt the United States and the world worse than we could expect them to on their own hook.

First of all, “@m” is always me, Marco Fioretti. Sorry if this confused somebody. I hit “enter” before checking that I had entered the right name.

Now, answering @Thad:

“I believe that allowing more people to vote is inherently a good thing, and erecting barriers to voting is, by definition, undemocratic.”

I am pretty sure that you are confusing voter registration, that is an exclusively USA/anglo-saxon problem, with voting banalization. Making voter registration as it is in USA today **is** undemocratic and, even before that, terribly stupid. In Italy and many other countries such an issue doesn’t exist at all. Basically, every officially resident citizen *is* also automatically registered to vote in his/her district of residence: for free, forever, period. It is democratic as it can be, and it just works.

Voting online, instead, is voting banalization, especially if used to make more people vote. Make voting as simple as clicking, and too many people, beginning exactly from those who didn’t vote because they couldn’t get their ass off their couch, won’t value their right to vote, and above all the **consequences** of their votes, enough. See all the Britons shocked because they voted Brexit without realizing that it was for real, and what they were doing.

“I vote by mail. Are you opposed to that, too?”

Of course I am. Exactly because “it’s vulnerable to the same kinds of bribes and threats”. And because..

Voting by mail doesn’t exist in Italy for national elections, except for Italians living abroad. But even without that and 100% manual voting, thanks to the automatic registration said above and other similar measures, voter turnout is much higher than in USA, and we know the official results within 24 hours.

The problems with voting in USA are largely LOCAL problems that USA citizens created and perpetuate themselves, by not voting representatives that change the whole voting/voting registration system, and going after false solutions like e-voting

@Marco: Voter registration suppression is part of the issue, certainly. But there are other means of voter suppression, currently and recently active. If you’re in Italy then I can understand not keeping up on US electoral news, but just within the past few weeks we’ve seen some major judicial takedowns of partisan/racially-motivated voter suppression laws. This includes narrowing the number of days in which it’s possible to vote, reducing the number of open polling stations, banning practices like allowing church organizations to solicit sealed absentee ballots and submit them en masse, and voter ID laws that target students, minorities, and the elderly.

These disenfranchisement efforts have been carried out under the cloak of concern for voter fraud — despite the lack of evidence that voter fraud is occurring in any significant numbers. Your concerns are similarly off-base — a mafia boss threatening to shoot people who don’t vote the way he wants them to, while he watches? Respectfully, *are you frickin’ kidding me?* I’m a lot less worried about made-up, unsubstantiated hypotheticals than the *actual* voter suppression efforts that they are being used to support.

I’ve been voting by mail for 16 years. This includes two presidential elections, one midterm election, some primaries, and a couple of local races during the years I was in college, living a three-hour drive away from the district where I am registered to vote. I suppose I could have registered to vote in the city where I went to college, but I considered my hometown to be my permanent place of residence, as I knew I’d be going back there, and those races were far more impactful to me.

Put simply: voting by mail made a hell of a lot more sense than a six-hour round-trip drive to my polling place and back.

And nobody ever attempted to bribe or threaten me to influence my vote. That’s just silly. The people who manipulate elections with money or threats do so on a far larger scale than rounding up individual voters. That’s why this discussion is (or originally was) about the vulnerability of voting machines to technological compromise: because *that* is the sort of large-scale target that poses a legitimate threat to the electoral process. A mafia guy threatening me over my mail-in ballot is not; that is a thing that doesn’t happen in real life.

More recently, in the years since I moved back to my hometown, I’ve continued voting by mail simply because it’s more convenient. Maybe that’s the banalization you’re clutching your pearls over; maybe I’m not sacrificing enough by arranging time off from work and standing in line to properly *appreciate* the importance of my vote. But I tell you I do more research before I vote than anybody else I know.

“The problems with voting in USA are largely LOCAL problems that USA citizens created and perpetuate themselves, by not voting representatives that change the whole voting/voting registration system”

Yes, and suggesting that the solution to this problem is to make sure more people don’t vote is a lot like suggesting that the best way to get out of a hole is to keep digging.

The politicians we have are the ones who have been elected under the electoral system we already have. You’re suggesting that we need different politicians and policies, while simultaneously saying that we shouldn’t encourage more people to vote than the ones who already do, because they won’t take it seriously enough.

You know who the most dedicated and politically involved voters are? The people who vote in party primaries. Do the folks who just nominated Donald Trump really strike you as well-informed people with sound judgement?

@Thad, postal voting is also fraught (although not as bad as online voting), and I’m against it. I’m a dual US/NZ citizen (living in NZ). Both countries have made the grave error of adopting postal voting, even for crucial elections (e.g. national gov’t). Postal voting, although not nearly as easily compromised en masse as online voting, still allows for standover tactics (voter intimidation) and postal fraud (which is easier to perpetrate on reasonable scale than ballot fraud)… If we want to build voter trust in the democratic process (which is fundamental to a functional democracy), then both are foolish.

“but just within the past few weeks we’ve seen some major judicial takedowns of partisan/racially-motivated voter suppression laws.”

I DO know of such cases. I’ve been following as closely as I can these issues for years now, exactly because I am fascinated by how this is an exclusively USA problem, created exactly by not demanding automatic voter registration.

“a mafia boss threatening to shoot people who don’t vote the way he wants them to, while he watches? Respectfully, *are you frickin’ kidding me?*”

Not at all. More likely, I just happen to know the USA situation better than you know the one in certain parts of Italy, or outside USA in general. I just dramatized the whole scene a bit. What would actually happen, because it already happens in a few cases, but on an infinitely smaller scale than it would be with online voting, is that the boss would say “here are 50 Euros, if you vote now as I say”. Of course, even the “boss” is an extreme. In many cases, it would be a “normal” candidate.

“maybe I’m not sacrificing enough by arranging time off from work and standing in line…”

I’ve been voting for a few decades now. It never took me more than 30/40 minutes from the moment I went off my door, WALKED to the polling station, voted, and went back home. This is more or less the standard in all of Italy, and with a voter turnout always sensibly higher than USA. Again: the long lines are a USA problem, that continues to exist because Americans don’t learn from other countries.

“Yes, and suggesting that the solution to this problem is to make sure more people don’t vote”

This is only your assumption, and it is wrong. Compare voter turnout in Italy and USA to verify it.

“You’re suggesting that we need different politicians and policies, while simultaneously saying that we shouldn’t encourage more people to vote than the ones who already do…”

NOT at all. I am NOT saying that. I am saying that trying to encourage more people to vote by banalizing and jeopardizing the vote by porting it online is wrong in principle, but above all delusional. See Dave Lane’s comment, who already explained this. Finally…

“Do the [most dedicated and politically involved voters who just nominated Donald Trump] really strike you as well-informed people with sound judgement?”

If you guys over there still have some hope to NOT have Trump as next President is exactly because it is not possible to vote online, that is to handle that election just like any other click-and-forget, frustration-relieving reality show.

I can hardly believe my eyes as I read about Mafia bosses holding guns to voters’ heads and flamethrowers and voting in Italy and committing fraud with ballots that are mailed in. There must be voting going on on another planet. Folks, this doesn’t happen. Nobody wastes time manipulating a vote here and a vote there. What is happening as we speak is “caging lists” of a hundred thousand voters in a swing state named e.g. Manuel Ramirez (guess which party he probably votes for) being struck off the rolls in Florida because there is a Manny Ramirez registered in North Carolina so obviously one person is voting in both states. This is Republican strategy to swing entire states. And gerrymandering, which has made safe Republican districts all over the country and can’t be changed until the next census. This is reality right now, not some password getting stolen by a hacker or some Mafia boss. Voter suppression and ID laws, gerrymandering, caging lists and secret voting machine connivance are stealing whole states and changing which Senators and President etc. are elected in one election after another in the 21st century. If we can mostly all use our computers for banking (REAL MONEY TO BE STOLEN !) and it mostly works, an honest attempt to do online voting has got to be way better than anything we have now.

1) the whole “Mafia boss” thing as I explained it here is an oversimplification of a REAL problem, that would only become much more serious with online voting. The fact that it may not be an issue in your own little corner of the planet, i.e. USA, is no reason to exclude it for everywhere else

2) the whole mess of “caging list”, gerrymandering, “voting machine connivance” etc… which, believe me, I DO know better than you know the situation outside USA, is a USA/anglosaxon problem ONLY. And a mess that only happens when voter registration isn’t automatic, and vote casting/counting is not 100% manual, as it is in Italy. I had already mentioned this

3) The only reason why “we can mostly all use our computers for banking (REAL MONEY TO BE STOLEN !)” is a) that with online banking it is surely, immediately evident when something went wrong, and where, and b) that the “overlords” of the whole system, i.e. the banks, do NOT want such problems to happen, and actively prosecute those who create them. In other words, how we do online banking is no guide at all, and not applicable, to online voting

As I already said, I am using this discussion as a draft for the English version of something I already wrote about electronic and online voting. As soon as I will have time, I will reformat it properly, and let you know the URL, so you can all comment something more readable than this series of comments. In the meantime, thanks for your help to reorganize my thoughts.

@Marco: Since you bring up the writing you are doing, I will mention the book I already published on online voting called THE ENDGAME OF POLITICS sold on Amazon but you must search for ENDGAME PALMER to find it.
My discussion is about a much more radical form of online voting than this namby pamby business of voting for one more raft of corrupt candidates to continue selling their votes to the highest bidding lobbyist i.e. the US Congress. What I sketch out is getting rid of all representation entirely and instituting true democracy like New England style voting where the entire electorate votes on laws and regulations and budgets and everything else and there are no bogus representatives anywhere in the picture.
I’m sure everyone will want to jump on such a commonsense proposal and tell me how it will never work, it will be hacked to death etc. etc. ad nauseam. That’s why I wasn’t going to mention it in this discussion until you brought up your own writing.
And by the way, online voting is now used in Estonia and you can read a spirited endorsement by an Estonian election official on the web.

As far as Estonia is concerned, I have also read the estoniaevoting.org report, and stand by my point.

This said, thanks for the pointer to your book. Everything I have written here so far ONLY applies to elections of presidents, mayors, parliament/council members, or brexit style referendums. That is, cases where a) major, maybe international issues are at stake, and b) actual voting wouldn’t require more than 1 minute, regardless of HOW it’s done. I agree that it is not applicable to what you mention now.

The “much more radical form of online voting” you are after, which at least in Europe is often called “direct democracy” is, indeed, a different, much bigger, more complicated issue. And whether it is good and feasible or not depends on many more things before the actual voting mechanism.